From fefb1aab4aa16ad151ba7cdae2a53897afcbe58e Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Wed, 4 Jan 2017 12:12:16 +1100
Subject: [PATCH 1/4] [system/debsecan] List remotely-exploitable CVEs separately
Signed-off-by: Olivier Mehani
---
 plugins/system/debsecan | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/plugins/system/debsecan b/plugins/system/debsecan
index 5f63e679..3fbb58cf 100755
--- a/plugins/system/debsecan
+++ b/plugins/system/debsecan
@@ -13,6 +13,8 @@ system (using debsecan). Might work on other distib, who knows...
 env.suite jessie
 env.fixed_warn 1
 env.fixed_critical 1000
+ env.remote_warn 1
+ env.remote_critical 10
 =head1 AUTHORS
@@ -53,6 +55,8 @@ if [ ${SUITE} = ${0} ]; then
 fi
 FIXEDWARN=${fixed_warning:-1}
 FIXEDCRIT=${fixed_critical:-1000}
+REMOTEWARN=${remote_warning:-1}
+REMOTECRIT=${remote_critical:-10}
 CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)"
 if [ "$1" = "config" ] ; then
@@ -63,8 +67,16 @@ graph_vlabel number of CVE
 graph_category system
 graph_period second
 graph_info This graph show the number of known vulnerabilities present on your system. Use debsecan to see details.
+remote.label remote
+remote.colour FF0000
+remote.type GAUGE
+remote.draw AREASTACK
+remote.min 0
+remote.info The number of remotely exploitable CVEs with any priority
+remote.warning ${REMOTEWARN}
+remote.critical ${REMOTECRIT}
 high.label high
-high.colour FF0000
+high.colour F70000
 high.type GAUGE
 high.draw AREASTACK
 high.min 0
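Review bot: The key documented in this hunk as `env.remote_warn` is not the one the code reads — the second hunk of this patch sets `REMOTEWARN=${remote_warning:-1}` — so an operator who configures `remote_warn` silently keeps the default threshold of 1, while `env.remote_critical` does match `${remote_critical:-10}`. The pre-existing `env.fixed_warn` / `${fixed_warning:-1}` pair shows the same mismatch. Since the code already spells both thresholds `*_warning`, the smaller fix is in this documentation hunk: `env.remote_warning 1` (and `env.fixed_warning 1` for the older key); the alternative is `REMOTEWARN=${remote_warn:-1}` in the second hunk. For an alerting threshold on exploitable CVEs, a documented setting that has no effect is worth a quick test of the plugin's `config` output before merging.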
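Review bot: `remote.info` in this hunk should say that remotely-exploitable CVEs are removed from the high/medium/low series, because the later hunk of this patch builds those with `grep -v 'remotely'`; without that note the stacked graph suggests a high-urgency remote CVE is not counted as high. Suggested wording: `remote.info The number of remotely exploitable CVEs of any priority; these are not included in high/medium/low`. The `high.info`, `medium.info` and `low.info` lines that would carry the matching remark sit outside this hunk, as does the start of the heredoc being extended.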
@@ -101,24 +113,29 @@ fi
 CVECOUNTRE="s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/"
 OUT=`mktemp -t debsecan.XXXXXX`
+REMOTE=`mktemp -t debsecan.XXXXXX`
 HIGH=`mktemp -t debsecan.XXXXXX`
 MEDIUM=`mktemp -t debsecan.XXXXXX`
 LOW=`mktemp -t debsecan.XXXXXX`
 OTHER=`mktemp -t debsecan.XXXXXX`
 FIXED=`mktemp -t debsecan.XXXXXX`
 debsecan --suite ${SUITE} 2> /dev/null > ${OUT}
-grep 'high urgency' ${OUT} > ${HIGH}
-grep 'medium urgency' ${OUT} > ${MEDIUM}
-grep 'low urgency)' ${OUT} > ${LOW}
+grep 'remotely' ${OUT} > ${REMOTE}
+grep 'high urgency' ${OUT} | grep -v 'remotely' > ${HIGH}
+grep 'medium urgency' ${OUT} | grep -v 'remotely' > ${MEDIUM}
+grep 'low urgency)' ${OUT} | grep -v 'remotely' > ${LOW}
 grep '(fixed' ${OUT} > ${FIXED}
 high=`cat ${HIGH} | wc -l`
+remote=`cat ${REMOTE} | wc -l`
 medium=`cat ${MEDIUM} | wc -l`
 low=`cat ${LOW} | wc -l`
 other=`cat ${OTHER} | wc -l`
 fixed=`cat ${FIXED} | wc -l`
 cat < Date: Wed, 4 Jan 2017 12:48:25 +1100
Subject: [PATCH 2/4] [system/debsecan] Don't use temporary files and fix shellcheck warnings
Signed-off-by: Olivier Mehani
---
 plugins/system/debsecan | 71 ++++++++++++++++++++---------------------
 1 file changed, 34 insertions(+), 37 deletions(-)
diff --git a/plugins/system/debsecan b/plugins/system/debsecan
index 3fbb58cf..ae8e93e5 100755
--- a/plugins/system/debsecan
+++ b/plugins/system/debsecan
@@ -48,8 +48,8 @@ if [ ! -x /usr/bin/debsecan ]; then
 fi
 # Determine suite from filename...
-SUITE=`echo $0 | sed 's/.*_//'`
-if [ ${SUITE} = ${0} ]; then
+SUITE=$(echo "$0" | sed 's/.*_//')
+if [ "${SUITE}" = "${0}" ]; then
 # ...or fall back onto configuration in environment
 SUITE=${suite:-sid}
 fi
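Review bot: `SUITE=$(echo "$0" | sed 's/.*_//')` fixes the quoting but still forks `echo` and `sed` for something parameter expansion does in-process: `SUITE=${0##*_}` removes everything through the last underscore, is POSIX, and leaves `$0` unchanged when there is no underscore, so the `[ "${SUITE}" = "${0}" ]` fallback on the next line keeps working, and `echo`'s shell-dependent backslash handling drops out. Separately, this patch's later hunk — its header is lost in this rendering — replaces `cat file | wc -l` with `$(echo "${REMOTE}" | wc -l)` and the like; `echo` of an empty string still prints one newline, so an empty category now reports 1 instead of 0, which would trip the default `remote.warning` of 1 when nothing remotely exploitable is installed and, since `debsecan`'s stderr is discarded, also whenever the scan itself fails (presumably these `*_count` values feed the `.value` lines in the lost heredoc). Counting on the already-split text with `grep -c`, e.g. `remote_count=$(echo "${ALL}" | grep -c 'remotely')` and `high_count=$(echo "${NONREMOTE}" | grep -c 'high urgency')`, keeps zero at zero.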
@@ -58,7 +58,6 @@ FIXEDCRIT=${fixed_critical:-1000}
 REMOTEWARN=${remote_warning:-1}
 REMOTECRIT=${remote_critical:-10}
-CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)"
 if [ "$1" = "config" ] ; then
 cat < /dev/null)
+REMOTE=$(echo "$ALL" | grep 'remotely')
+NONREMOTE=$(echo "$ALL" | grep -v 'remotely')
+
+HIGH=$(echo "${NONREMOTE}" | grep 'high urgency')
+MEDIUM=$(echo "${NONREMOTE}" | grep 'medium urgency')
+LOW=$(echo "${NONREMOTE}" | grep 'low urgency')
+OTHER=$(echo "${NONREMOTE}" | grep -v 'urgency')
+FIXED=$(echo "${ALL}" | grep '(fixed')
+
+remote_count=$(echo "${REMOTE}" | wc -l)
+high_count=$(echo "${HIGH}" | wc -l)
+medium_count=$(echo "${MEDIUM}" | wc -l)
+low_count=$(echo "${LOW}" | wc -l)
+other_count=$(echo "${OTHER}" | wc -l)
+fixed_count=$(echo "${FIXED}" | wc -l)
+
 CVECOUNTRE="s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/"
-OUT=`mktemp -t debsecan.XXXXXX`
-REMOTE=`mktemp -t debsecan.XXXXXX`
-HIGH=`mktemp -t debsecan.XXXXXX`
-MEDIUM=`mktemp -t debsecan.XXXXXX`
-LOW=`mktemp -t debsecan.XXXXXX`
-OTHER=`mktemp -t debsecan.XXXXXX`
-FIXED=`mktemp -t debsecan.XXXXXX`
-debsecan --suite ${SUITE} 2> /dev/null > ${OUT}
-grep 'remotely' ${OUT} > ${REMOTE}
-grep 'high urgency' ${OUT} | grep -v 'remotely' > ${HIGH}
-grep 'medium urgency' ${OUT} | grep -v 'remotely' > ${MEDIUM}
-grep 'low urgency)' ${OUT} | grep -v 'remotely' > ${LOW}
-grep '(fixed' ${OUT} > ${FIXED}
-
-high=`cat ${HIGH} | wc -l`
-remote=`cat ${REMOTE} | wc -l`
-medium=`cat ${MEDIUM} | wc -l`
-low=`cat ${LOW} | wc -l`
-other=`cat ${OTHER} | wc -l`
-fixed=`cat ${FIXED} | wc -l`
-
+# shellcheck disable=SC2005 disable=SC2046
+# The nested $(echo ...)s are needed to yet the newlines cat < Date: Wed, 4 Jan 2017 16:19:44 +1100
Subject: [PATCH 3/4] [debsecan] Update colours
Signed-off-by: Olivier Mehani
---
 plugins/system/debsecan | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/system/debsecan b/plugins/system/debsecan
index ae8e93e5..ff126355 100755
--- a/plugins/system/debsecan
+++ b/plugins/system/debsecan
@@ -75,13 +75,13 @@ remote.info The number of remotely exploitable CVEs with any priority
 remote.warning ${REMOTEWARN}
 remote.critical ${REMOTECRIT}
 high.label high
-high.colour FF5500
+high.colour DD2200
 high.type GAUGE
 high.draw AREASTACK
 high.min 0
 high.info The number of CVEs marked high priority
 medium.label medium
-medium.colour FFA500
+medium.colour FFAA00
 medium.type GAUGE
 medium.draw AREASTACK
 medium.min 0
@@ -93,7 +93,7 @@ low.draw AREASTACK
 low.min 0
 low.info The number of CVEs marked low priority
 other.label other
-other.colour 00A5FF
+other.colour 00AAFF
 other.type GAUGE
 other.draw AREASTACK
 other.min 0
From 475c6ae9da9cf5dc84f84863affcf1e5b1de38c5 Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Thu, 5 Jan 2017 13:57:56 +1100
Subject: [PATCH 4/4] [debsecan] More verbose errors
Signed-off-by: Olivier Mehani
---
 plugins/system/debsecan | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/system/debsecan b/plugins/system/debsecan
index ff126355..e52ac2f1 100755
--- a/plugins/system/debsecan
+++ b/plugins/system/debsecan
@@ -37,13 +37,14 @@ if [ "$1" = "autoconf" ] ; then
 if [ -x /usr/bin/debsecan ]; then
 echo yes
 else
- echo no
+ echo 'no (/usr/bin/debsecan not found)'
 fi
 exit 0
 fi
 # Fail if we don't have debsecan
 if [ ! -x /usr/bin/debsecan ]; then
+ echo 'error: /usr/bin/debsecan not found' >&2
 exit 1
 fi
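Review bot: Both new messages name `/usr/bin/debsecan`, but that absolute path is only what the `-x` tests probe; the scan itself (the `debsecan --suite ${SUITE}` line visible in the first patch of this series) runs a bare `debsecan` resolved through `PATH`, so the binary that is checked and the one that is executed can differ under an unusual `PATH`. Either invoke the path that was tested, `/usr/bin/debsecan --suite "${SUITE}"`, or test what will actually run with `command -v debsecan >/dev/null` and word both messages to match. Sending the hard-failure message to stderr is the right choice, as munin will keep the plugin's stdout for values. The `if [ "$1" = "autoconf" ]` block this hunk edits starts before the hunk.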